TeamTNT Adds Detection-Evasion Tools to its Arsenal


Monday, February 1st, 2021

TeamTNT is a cybercrime group known for cloud-based attacks and has targeted Amazon Web Services credentials in order to gain access to the cloud for use in the mining of Monero. Their previous targets also include Docker and Kubernetes cloud instances.

Their new evasion tool would help their cryptomining malware avoid detection. Named ‘libprocesshider,’ it is an open-source tool hosted on GitHub since 2014 and is described as having capabilities to hide a process under Linux using the ld preloader. The new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or via its Internet Relay Chat (IRC) bot, called TNTbotinger, which is capable of distributed denial of service (DDoS) attacks.

In the attack chain, after the base64-encoded script is downloaded, it runs through multiple tasks. These include modifying the network DNS configuration, setting persistence (through systemd), downloading the latest IRC bot configuration, clearing evidence of activities – and dropping and activating libprocesshider. The tool is dropped as a hidden Tape Archive file (also known as the Tar format, which is used for open-source software distribution) on the disk and then decompressed by the script and written to ‘/usr/local/lib/systemhealt.so’. libprocesshider then aims to hide the malicious process from process information programs such as ‘ps’ and ‘lsof.’

These are both process-viewer tools, which use the file ‘/usr/bin/sbin’. The ‘ps’ program (short for “process status”) displays currently running processes in many Unix-like operating systems; meanwhile, ‘lsof’ is a command (short for “list open files”), also utilized in Unix-like operating systems to, as the name suggests, report a list of all open files and the processes that opened them. Hiding the process from these two process-viewer tools would allow the attacker to cloak its malicious activity.

libprocesshider uses a process called preloading to hide its activity from ‘ps’ and ‘lsof.’ This process allows the system to load a custom shared library before other system libraries are loaded.
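For defenders, preloading on Linux is configured in two places: the system-wide file /etc/ld.so.preload and the per-process LD_PRELOAD environment variable. The following audit sketch is an added example, not code from this article, TeamTNT or the libprocesshider project; the function names and the list of "packaged" library directories are assumptions chosen for illustration.

```python
import re

REPORTED_PATH = "/usr/local/lib/systemhealt.so"   # drop path named in the article
# Assumption: directories where distro packages normally install shared objects.
PACKAGED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def preload_entries(text):
    """Library paths in ld.so.preload / LD_PRELOAD syntax (whitespace or colon separated)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]              # '#' starts a comment in ld.so.preload
        entries += [e for e in re.split(r"[\s:]+", line) if e]
    return entries

def env_preloads(environ_bytes):
    """LD_PRELOAD entries from the NUL-separated bytes of /proc/<pid>/environ."""
    for var in environ_bytes.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            return preload_entries(var[11:].decode(errors="replace"))
    return []

def classify(path):
    if path == REPORTED_PATH:
        return "reported-path"
    return "ok" if path.startswith(PACKAGED_PREFIXES) else "review"

def audit(preload_text, environs):
    """Return (source, library, verdict) for every preload that is not 'ok'."""
    found = [("ld.so.preload", p, classify(p)) for p in preload_entries(preload_text)]
    for pid, env in environs.items():
        found += [(f"pid {pid}", p, classify(p)) for p in env_preloads(env)]
    return [f for f in found if f[2] != "ok"]

def live_inputs(max_pid=32768):
    """Read the real host. PIDs are probed one by one instead of listing /proc,
    because a directory listing can itself be filtered by a preloaded library."""
    try:
        with open("/etc/ld.so.preload") as fh:
            text = fh.read()
    except OSError:
        text = ""
    environs = {}
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[pid] = fh.read()
        except OSError:
            pass
    return text, environs

if __name__ == "__main__":
    for finding in audit(*live_inputs()):
        print(*finding)
```

Run it as root so that every process's environ file is readable; a "review" verdict only means the library sits outside the assumed package directories and needs a human look.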

TeamTNT is known for deploying various updates to its signature malware, including a new memory unloader recently discovered, which was written in Golang and based on Ezuri.

Last August, TeamTNT’s cryptomining worm was discovered spreading through the AWS cloud and collecting credentials. Then, after a hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope.
